From: "U.Mutlu" <um@mutluit.com>
To: netfilter@vger.kernel.org
Subject: [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...
Date: Mon, 16 Oct 2023 21:22:37 +0200
Message-ID: <652D8D7C.4080803@mutluit.com>

Hi,
could a kind soul please check why the ipset "match-set" rule below isn't working.

It jumps to the chain MY2 only if "--packets-gt 0" or
"--packets-gt 1" is used, but not for any higher values! :-)

I'm new to ipset, but this very much looks like a bug in iptables or ipset, IMHO.


firewall.sh :
-------------
#...
ipset destroy blacklist
ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
ipset destroy bl2
ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
#...
iptables -N MY2
#...
iptables -A MY2 -j RETURN
#...
iptables -A INPUT -j SET --exist --add-set blacklist src
iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
#...


Thx


OS is stock Debian 11 ("bullseye"):

# iptables --version
iptables v1.8.7 (nf_tables)

# ipset --version
ipset v7.10, protocol version: 7

# uname -a
Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
...

Thread overview: 4+ messages
2023-10-16 19:22 U.Mutlu [this message]
2023-10-16 19:54 ` [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j Jozsef Kadlecsik
2023-10-16 23:30   ` U.Mutlu
2023-10-17  0:43     ` U.Mutlu
